ABSTRACT 



An audit was conducted of the State University of New York 
(SUNY) College at Potsdam, evaluating controls over access to student 
accounts and the collection of revenue at remote sites for fiscal year 
1997-98. The objectives of the financial-related audit were to determine 
whether SUNY's controls over access to student accounts were adequate enough 
to ensure the integrity of student revenue and collection data. The audit 
also tried to determine whether SUNY's controls over cash collections at 
remote sites were effective in ensuring that collections were properly 
recorded and deposited. Weaknesses were identified in SUNY's system of 
internal controls over access to student accounts. The audit found that some 
individuals have access that is incompatible with their other job duties, and 
that others have greater access than they need to perform their jobs. 

However, the audit found no instances in which unauthorized persons adjusted 
student accounts, and the conducted tests did not identify any significant 
transactions that were not properly supported. The audit also revealed that 
controls over cash collections at some remote collection sites need to be 
improved to ensure that all receipts are properly recorded and deposited. 
Included are recommendations for rectifying the above situations. (AS) 
A.E. SMITH STATE OFFICE BUILDING 

Albany, New York 12236 



November 12, 1998 



Dr. John W. Ryan 
Chancellor 

State University of New York 
State University Plaza 
Albany, NY 12246 



Re: Selected Financial Management Practices of 

the State University of New York College at 
Potsdam 
Report 97-S-54 

Dear Dr. Ryan: 

Pursuant to the State Comptroller’s authority as set forth in Article V, Section 1 of the State 
Constitution and Article II, Section 8 of the State Finance Law, we have audited selected financial 
management practices of the State University of New York College at Potsdam. Our audit covered 
the period July 1, 1997 through June 30, 1998. 
A. Background 

The State University of New York (SUNY) College at Potsdam (College) is one of SUNY’s 
13 colleges of arts and sciences. The College originated as the St. Lawrence Academy in 1816, 
continued as Potsdam Normal School in 1867, and then as Potsdam State Teachers College in 1942. 
The College became part of SUNY in 1948. The College offers bachelor’s and master’s degrees in 
more than 35 areas of liberal arts studies, music and teacher education, and it offers several special 
academic programs. During the Spring 1998 semester, the College had 3,323 full-time and 574 
part-time students. 

For the period July 1, 1997 through June 30, 1998, College revenue collections from tuition, 
miscellaneous fees and fines, other sponsored programs, room rent, college fees, meal plans and other 
sources totaled about $28.4 million. The College Bursar’s Office deposited over $16 million of this 
amount into the College’s local depository bank. The balance of the revenue, which is primarily 
student financial aid, is deposited directly into an account maintained by SUNY System 
Administration. Of the $16 million deposited locally, the Bursar’s Office collected $14.4 million, with 
the remaining $1.6 million collected by various campus remote locations and forwarded to the Bursar. 
The College reported student accounts receivable of almost $2.2 million as of June 30, 1998. Of this 
amount, $400,000 related to the Summer 1998 semester, $700,000 related to previous semesters, and 
$1.1 million has been referred to the Attorney General for collection. 

The College uses an integrated database computer system called Banner which affords on-line 
access to update and to view information. Banner contains all student accounts information including 
course registrations, student billings and collections, financial aid, refunds, room assignments, meal 
plans, holds on student accounts and student grades. Banner is linked to the College’s accounting 
system and records collections remitted to the Bursar’s Office from remote cash sites. Banner is 
designed to restrict user access to various data screens and to various activities such as changing 
student accounts. As of June 30, 1998, 408 users had on-line access to Banner. There were 24 users 
who could update student accounts, and another 105 users who could query student accounts. The 
database administrator, one programmer and the Assistant Director of Business Affairs had 
unrestricted access to change student accounts information using Banner. The database administrator 
established access for all Banner users. 

B. Audit Scope, Objectives, and Methodology 

We audited College controls over access to student accounts and the collection of revenue 
at remote sites for the period July 1, 1997 through June 30, 1998. The objectives of our 
financial-related audit were to determine whether the College’s controls over access to student accounts were 
adequate to ensure the integrity of student revenue and collection data, and whether the College’s 
controls over cash collections at remote sites were sufficient to ensure that collections are properly 
recorded and timely deposited. To accomplish our objectives, we interviewed College officials, 
reviewed relevant College procedures and examined selected student account data. To assist us in 
testing controls over access to student accounts, College personnel provided us with student account 
and registration information extracted from the College’s data files related to the Summer 1997, Fall 
1997 and Spring 1998 semesters. Using database diagnostic software, we isolated certain 
adjustments made to student accounts, reviewed samples of these adjustments and examined 
supporting documentation to ensure the adjustments were made in accordance with College 
procedures. We also examined the use of controls to limit computer access to student account data. 
We did not review access controls related to financial aid, which also affects student accounts, or 
student grades. Finally, we surveyed College departments to identify remote collection sites on 
campus and we reviewed cash controls at five departments with material cash collections. 

We conducted our audit in accordance with generally accepted government auditing 
standards. Such standards require that we plan and perform our audit to adequately assess those 
operations of the College that are included within our audit scope. Further, these standards require 
that we review and report on those laws, rules and regulations that are relevant to the College’s 
operations included in our audit scope. An audit includes examining, on a test basis, evidence 
supporting transactions recorded in the accounting records and applying such auditing procedures 
as we consider necessary in the circumstances. An audit also includes assessing the estimates, 
decisions and judgments made by management. We believe that our audit provides a reasonable basis 
for our findings, conclusions and recommendations. 

We used a risk based approach when selecting activities to be audited. This approach focuses 
our audit efforts on those activities we have identified through a preliminary survey as having the 
greatest probability of needing improvement. Consequently, by design, finite audit resources are used 
to identify where and how improvements can be made. Thus, little audit effort is devoted to 
reviewing operations that may be relatively efficient or effective. As a result, our audit reports are 
prepared on an “exception basis.” This report, therefore, highlights those areas needing improvement 
and does not address activities that may be functioning properly. 

C. Internal Control and Compliance Summary 

Our consideration of the College’s internal control structure focused on controls over access 
to student accounts and remote site revenue collections. We identified certain weaknesses in these 
controls which we identify in the sections of this report entitled “Access Controls Over Student 
Accounts” and “Remote Site Cash Collections.” We did not identify any instances of noncompliance 
with applicable laws, rules or regulations. 

D. Results of Audit 



We identified weaknesses in the College’s system of internal controls over access to student 
accounts using Banner. We found that some individuals have access that is incompatible with their 
other job duties, and that others have greater access than they need to perform their jobs. However, 
we did not find any instances in which unauthorized persons adjusted student accounts, and our tests 
did not identify any significant transactions that were not properly supported. We also found that 
controls over cash collections at some remote collection sites need to be improved to ensure that all 
receipts are properly recorded and deposited. 

1. Access Controls Over Student Accounts 

Computer access controls should provide reasonable assurance that computer resources are 
protected against unauthorized modification, disclosure, loss, or impairment. This is accomplished 
by providing users with only the access they need to perform their duties; limiting access to sensitive 
resources, such as security software programs; and by not establishing access that permits employees 
to perform incompatible functions. However, we found that some College employees routinely 
perform functions on Banner that are incompatible with their other job duties, and that other 
employees have greater access to student accounts than is needed to perform their duties. These 
control weaknesses represent a significant risk that the integrity of student revenue and collection data 
could be compromised. 
Incompatible Functions 

To adequately separate incompatible duties, employees with responsibility for collecting 
payments from students should not have the responsibility of adjusting charges on student accounts. 
Ideally, the Bursar’s Office should be responsible for collecting payments and other offices should 
be responsible for adjusting charges on student accounts. For example, adjustments to tuition charges 
that result from changes in the number of credit hours taken by students should originate only in the 
Registrar’s Office. Similarly, changes to room charges should be initiated only by the Residence Life 
Office. However, College officials have not separated the responsibilities of collecting payments from 
the responsibilities of adjusting charges on student accounts. We found that all six Bursar’s Office 
employees have access to student accounts which allows them to not only collect and record 
payments, but also to adjust certain charges and to issue refunds to students. For example, Bursar 
Office employees can remove (manually adjust) student charges for hospitalization insurance, alumni 
dues, health fees and orientation fees. Bursar’s Office staff also manually adjust room, meal and 
tuition charges when Banner does not properly adjust the charges. 

According to the Bursar, no one in the Bursar’s Office can change a student’s registered 
hours, which would remove the tuition charge from the student’s account. Also, if the tuition charge 
on a student account is not consistent with the student’s registered hours, the Banner registration 
process adds the tuition charge back to the student’s account. However, we found that all staff in 
the Bursar’s Office can delete a tuition charge. Moreover, if the tuition charge is deleted after the 
Banner registration process has been executed, the student’s account will remain inconsistent with 
the student’s registered hours and the discrepancy will not be detected. Therefore, the ability of Bursar 
staff to delete a tuition charge should be tightly controlled and restricted. 

We analyzed the College’s student account database for the period July 1, 1997 to June 30, 
1998, to determine the number and dollar value of adjustments made by cashiers and other staff in 
the Bursar’s Office during this period. The following chart summarizes the results of our analysis. 



Charge Type                                               Number of       Amount of
                                                          Transactions    Adjustments

Tuition                                                        283        $  202,620
Meals                                                          136        $   22,935
Room                                                           309        $   30,296
Miscellaneous (e.g., health, alumni, orientation fees)       6,796        $  834,419

Total                                                        7,524        $1,090,270



We also tested transactions from the Spring 1998 semester that reduced charges on student 
accounts to verify that these were supported by appropriate documentation. We reviewed 10 
reductions to room charges, 5 reductions in tuition, 26 waivers of and 22 additional adjustments to 
the health fee, and all 56 transactions related to the orientation fee. We found that all transactions 
were processed by Bursar’s Office staff authorized to adjust these charges, and that all but three 
transactions were properly supported with documentation. Follow-up showed the three 
undocumented transactions were appropriate. 

While our tests did not identify unauthorized transactions or significant numbers of 
transactions that were not supported by documentation, we believe that having the Bursar’s Office 
staff perform incompatible functions poses a significant risk that College officials should address in 
order to protect assets and to limit potential processing errors. The College should separate, to the 
extent practical, the payment collecting, recording, adjusting and refunding functions, and should 
increase supervisory oversight where functions cannot be separated. 

During our review of the reductions in tuition charges, we found that one of the reasons 
Bursar’s Office staff intervene to make these adjustments is that Banner is not operating as efficiently 
as it could. For example, while most students can obtain full or partial tuition refunds for course 
withdrawals during only a limited time at the beginning of the semester, certain students in 
Federally-funded programs can obtain full refunds for withdrawals up to ten weeks into the semester. Because 
Banner is not programmed to recognize this class of withdrawals, it does not generate a full refund 
for such students. Therefore, the Bursar’s Office must manually adjust these charges. We found that 
31 such withdrawals had been manually adjusted. Programming Banner to accommodate these 
transactions could reduce the need for Bursar’s Office staff to perform these incompatible adjustment 
functions. 

Further, we found that Banner does not always provide specific accountability for 
transactions. For example, we reviewed eight reductions to room charges and all resident assistant 
exemptions for the Spring 1998 semester that were initiated by the Residence Life Office. We 
determined that all transactions reviewed were properly supported and properly authorized. 
However, Banner showed most of these transactions as performed by the Banner programmer rather 
than by the individual actually entering the transaction. To provide proper accountability for 
transactions and ensure they are performed by authorized employees in accordance with the proper 
separation of duties, Banner should indicate the user who initiates each transaction. 

Access Levels Greater Than Needed 

We also found that certain employees have been given greater access to student accounts than 
is needed for them to perform their duties. For example, some cashiers in the Bursar’s Office have 
the ability to process a refund on a student account even though the College has not approved these 
employees to perform these transactions. Although our analysis of the College’s student account 
database did not find any instance in which a cashier had processed a refund, we believe the College 
should restrict cashiers from such access. 
In addition, staff in the Residence Life Office have access to adjust meal plan charges, which 
is normally a function of the Potsdam Auxiliary and College Education Service (PACES) Office. 
Likewise, PACES Office staff have access to adjust room charges, which is a function of Residence 
Life. The transactions of these two offices were recorded as originating with the Banner programmer 
because of the previously described problem with establishing user accountability for certain 
transactions. Therefore, we could not determine which individuals from which offices made 
adjustments to room and meal plan charges. Since staff in these offices have greater access than 
necessary and can adjust student accounts without being identified, we believe there is significant risk 
that unauthorized transactions could occur. 
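
The access weaknesses described in this section can be tested mechanically against an extract of user access. The following is an added example, not part of the audit report or of Banner: the capability names, user IDs, approval list and log records are all constructed assumptions.

```python
"""Separation-of-duties and least-privilege review over an access extract.

Added example: every user ID, capability name and record below is
constructed; none of it reflects Banner's real security classes.
"""
from collections import defaultdict

# Hypothetical capability names for the functions the report discusses.
COLLECT = "collect_payment"
ADJUSTING = {"adjust_tuition", "adjust_room", "adjust_meal", "issue_refund"}

# Office that should originate each kind of change, per the report's text.
OWNER = {
    "adjust_tuition": "Registrar",
    "adjust_room": "Residence Life",
    "adjust_meal": "PACES",
}

# Constructed access extract: user -> (office, capabilities granted).
ACCESS = {
    "cashier1": ("Bursar", {COLLECT, "issue_refund"}),
    "cashier2": ("Bursar", {COLLECT, "adjust_tuition"}),
    "reslife1": ("Residence Life", {"adjust_room", "adjust_meal"}),
    "paces1": ("PACES", {"adjust_meal", "adjust_room"}),
    "registrar1": ("Registrar", {"adjust_tuition"}),
}

# Constructed list of users management has approved to issue refunds.
REFUND_APPROVED = {"bursar_supervisor"}

# Constructed IDs that stand for a shared or technical account.
SHARED_IDS = {"programmer"}

# Constructed adjustment log: (transaction id, recorded user, charge type).
ADJUSTMENTS = [
    (1001, "registrar1", "tuition"),
    (1002, "programmer", "room"),
    (1003, "programmer", "meal"),
]


def review_access(access, refund_approved):
    """Return {user: [findings]} for the weaknesses the report names."""
    findings = defaultdict(list)
    for user, (office, caps) in sorted(access.items()):
        # Incompatible functions: collecting payments and changing charges.
        clash = sorted(caps & ADJUSTING) if COLLECT in caps else []
        if clash:
            findings[user].append(
                "incompatible: collects and " + ", ".join(clash))
        # Access greater than needed: rights owned by another office.
        for cap in sorted(caps):
            owner = OWNER.get(cap)
            if owner and owner != office:
                findings[user].append(f"excess: {cap} belongs to {owner}")
        # Refund capability held without management approval.
        if "issue_refund" in caps and user not in refund_approved:
            findings[user].append("excess: issue_refund not approved")
    return dict(findings)


def attribution_gaps(adjustments, shared_ids):
    """Return ids of adjustments recorded under a shared account.

    These cannot be tied to the person who entered them, so the
    separation-of-duties rules above cannot be verified for them.
    """
    return [txn for txn, user, _ in adjustments if user in shared_ids]


if __name__ == "__main__":
    for user, items in review_access(ACCESS, REFUND_APPROVED).items():
        for item in items:
            print(f"{user}: {item}")
    print("unattributable:", attribution_gaps(ADJUSTMENTS, SHARED_IDS))
```
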

2. Remote Site Cash Collections 

Of the 59 College departments that we surveyed, 27 reported collection of cash. We 
reviewed controls and procedures at five of these departments which have more significant cash 
collections: the Office of Continuing Education (Continuing Education), the Physical Plant, the 
Registrar’s Office, the Health Services Office, and the Telecommunications Office. For three of the 
departments, we found a number of internal control weaknesses which increase risk for loss of cash 
and for inaccurate revenue reporting. The following paragraphs detail our observations at these three 
departments. 

Continuing Education officials report that their office receives between $250,000 and 
$400,000 of cash receipts annually for providing summer camp programs, non-credit courses, rental 
of college facilities and food services to outside parties. Payments collected for camps and non-credit 
courses are forwarded to the Bursar. Payments for rental of College facilities and food services are 
forwarded to PACES. Our examination of Continuing Education cash collections found the 
following weaknesses which put cash at risk of loss: 

• No separation of duties is in place over revenues pertaining to PACES. The same 
individual controls all aspects of the PACES revenue from billing to deposit. This 
individual does not use standard invoice forms to bill for services and does not issue 
receipts for payments. 

• Press-numbered receipt forms issued by the Business Office are not used to account 
for payments for camps and non-credit courses. Instead, Continuing Education 
program staff use their own computer software to record remittances for these 
services. However, our tests of the related remittance records from this software 
showed 55 breaks in the sequence of receipts and hundreds of missing and 
unaccounted for receipt numbers. We found two instances of the duplicate use of a 
receipt number in connection with camp revenues. We also found two instances 
where receipt records referenced campus identification numbers for which the 
software recorded no related registrations. The software also recorded a receipt 
which we could not trace to a deposit. We conclude that the software being used is 
presently not effective for controlling receipts. Unless the software is enhanced to 
provide appropriate control, Continuing Education should use Business Office receipt 
forms. 

• Staff do not restrictively endorse checks upon receipt. Instead, staff wait until a 
deposit slip is prepared, thereby increasing the opportunity to divert a payment. 
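
The receipt tests described in the second item above (sequence breaks, duplicate numbers, receipts with no matching registration, receipts not traced to a deposit) can be run over any receipt register. This is an added example, not the auditors' software or the College's: the record layout and all sample records are constructed, and the per-deposit total comparison goes one step beyond the tests the report lists.

```python
"""Receipt-register integrity checks for a remote collection site.

Added example: all records are constructed and the field layout is an
assumption, not the format of any system named in the report.
"""
from collections import Counter

# Constructed receipts: (receipt no., campus ID, amount in cents, deposit ID).
RECEIPTS = [
    (101, "C001", 15000, "D1"),
    (102, "C002", 15000, "D1"),
    (104, "C003", 20000, "D1"),   # 103 is missing
    (104, "C004", 20000, "D2"),   # receipt number used twice
    (105, "C999", 5000, "D2"),    # no registration on file for C999
    (109, "C005", 7500, None),    # 106-108 missing; never deposited
]

# Constructed set of campus IDs that have a registration on file.
REGISTRATIONS = {"C001", "C002", "C003", "C004", "C005"}

# Constructed bank deposit totals in cents, keyed by deposit ID.
DEPOSITS = {"D1": 50000, "D2": 20000}


def sequence_breaks(numbers):
    """Return (breaks, missing): gaps as (first, last) ranges and their size."""
    uniq = sorted(set(numbers))
    breaks = [(prev + 1, cur - 1)
              for prev, cur in zip(uniq, uniq[1:]) if cur - prev > 1]
    missing = sum(last - first + 1 for first, last in breaks)
    return breaks, missing


def audit_register(receipts, registrations, deposits):
    """Run the receipt tests and return the exceptions found."""
    numbers = [r[0] for r in receipts]
    breaks, missing = sequence_breaks(numbers)
    duplicates = sorted(n for n, c in Counter(numbers).items() if c > 1)
    unregistered = [n for n, cid, _, _ in receipts
                    if cid not in registrations]
    untraced = [n for n, _, _, dep in receipts if dep not in deposits]

    # Compare what was receipted against each deposit with what was banked.
    receipted = Counter()
    for _, _, amount, dep in receipts:
        if dep in deposits:
            receipted[dep] += amount
    variances = {dep: banked - receipted[dep]
                 for dep, banked in deposits.items()
                 if banked != receipted[dep]}

    return {
        "breaks": breaks,            # ranges of unaccounted receipt numbers
        "missing": missing,          # count of unaccounted receipt numbers
        "duplicates": duplicates,    # numbers issued more than once
        "unregistered": unregistered,
        "untraced": untraced,        # receipts with no matching deposit
        "variances": variances,      # banked minus receipted, in cents
    }


if __name__ == "__main__":
    for check, result in audit_register(
            RECEIPTS, REGISTRATIONS, DEPOSITS).items():
        print(f"{check}: {result}")
```
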

Physical Plant officials report that their department receives and deposits about $90,000 in 
revenue each year. The payments are for duplicating and printing services, vehicle rentals and 
College office supplies issued to non-State entities such as PACES. Our examination of Physical 
Plant cash controls found the following weaknesses over the receipt and deposit of payments: 

• The duties of handling cash from central services and vehicle rentals are assigned to 
the same person who prepares the financial records for these services and who 
controls the software that accounts for the revenues from these activities. Combining 
these incompatible duties greatly increases the risk of undetected loss of revenues. 
Furthermore, there is no compensating supervisory review of the cashiering, billing, 
and accounting functions performed by this individual. 

• Our cash count showed the deposits are not made timely. On June 17, 1998, we 
found checks dated as early as May 12, 1998 that were still on hand. The checks were 
restrictively endorsed, but a related receipt form had not been prepared. 

Registrar’s Office officials report that their office receives and deposits approximately $30,000 
per year primarily from charges for fulfilling transcript requests by mail or over the counter. We 
found the following weaknesses over the receipt and deposit of the Registrar revenues: 

• There is no separation of the incompatible duties of receiving transcript requests, 
processing the requests and making the deposits. 

• There is a $5 fee for processing a transcript issuance request; but certain requests, such 
as the initial request by a student, are free. However, the Registrar does not reconcile 
requests to payments to determine that all revenues that are supposed to be obtained, 
are actually accounted for. 

• Banner issues a transcript even if the staff person processing the request fails to 
record a payment reference or a receipt number. This lack of accountability increases 
the risk that a transcript processor could issue a transcript to a student and divert the 
resulting student payment without detection. 

• Checks received over the counter are not restrictively endorsed until the weekly 
deposit is prepared. During particularly busy times of the year in the Registrar’s 
Office, a large volume of small denomination checks could be on hand without 
restrictive endorsement for several days. Untimely restrictive endorsement of checks 
further risks loss of revenues. 

In trying to determine the causes for these control weaknesses, we noted that the Bursar has 
established and distributed guidelines over the collection and deposit of cash at the College’s remote 
sites. These guidelines direct staff to ensure that checks are payable to the College, are restrictively 
endorsed and are deposited on a regular basis. However, as noted in the previous description of 
departments’ cash collection controls, there is noncompliance with these guidelines in certain 
instances. In addition, we observed that the guidelines do not provide specific instructions about the 
proper separation of duties and supervisory oversight of the revenue collection process. Therefore, 
the weaknesses we observed in these areas, to some extent, may be the result of lack of management 
direction. Although the Bursar requires that each remote collection site use common receipt forms 
issued by the Business Office, our findings support that this requirement is not being complied with 
in certain instances. In addition, neither the Business Office nor the Bursar periodically ensures that 
prescribed receipt forms are being used and are accounted for. 

Recommendations 



1. Assess the risks associated with allowing individuals who collect and record student 
payments to also have the computer access capability to adjust student charges. Whenever 
possible, provide for separation of these incompatible duties. Whenever such separation is 
not possible, provide for increased supervisory oversight as a compensating control. 

2. Take steps to ensure that Banner always can detect any inconsistency between a student’s 
tuition charge and the student’s registered hours. 

3. Ensure that all transactions adjusting student accounts are supported with adequate 
documentation explaining and authorizing the adjustment. 

4. Take steps needed to change Banner to ensure that it provides for the accurate processing 
of refunds for all classes of withdrawals and for the proper identification of the initiator of 
all transactions that adjust student charges. 

5. Discontinue providing Bursar cashiers with the capability to use Banner to issue a student 
refund. 

6. Restrict the ability to adjust meal plan charges and to adjust room charges to the 
appropriate users in PACES and the Residence Life Office, respectively. 

7. Strengthen cash controls in Continuing Education, the Physical Plant and the Registrar’s 
Office to address the weaknesses noted in this report. 
8. Provide guidelines on how to separate incompatible duties at remote cash collection sites 
and how to use increased supervisory oversight to compensate for those instances where 
separation of incompatible duties cannot be obtained. 

9. Ensure that Bursar policy and procedures pertaining to use of sequentially numbered receipt 
forms are followed. Before permitting use of alternative receipting procedures, ensure such 
procedures maintain desired control and accountability. Periodically determine that receipt 
forms are being used and are accounted for. 

A draft copy of this report was provided to SUNY System Administration and College 
officials for their review and comment. Their comments have been considered in the preparation of 
this report and are included as Appendix A. Officials agree with all of our recommendations and they 
indicate that they are now in the process of implementing them. 

Within 90 days after final release of this report, as required by Section 170 of the Executive 
Law, the Chancellor of the State University of New York shall report to the Governor, the State 
Comptroller, and leaders of the Legislature and fiscal committees, advising what steps were taken to 
implement the recommendations contained herein, and where recommendations were not 
implemented, the reasons therefor. 

Major contributors to this report were Bill Nealon, Art Smith, Don Hespelt, Wayne Bolton, 
Amy Pertgen, Mark Radley and Nancy Varley. 

We wish to thank the management and staff of SUNY College at Potsdam for the courtesies 
and cooperation extended to our auditors during this audit. 



Very truly yours, 






Jerry Barker 
Audit Director 






cc: Robert L. King, Division of the Budget 

Dr. John A. Fallon, III, President, College at Potsdam 

Michael D. Lewis, Director of Business Affairs, College at Potsdam 
Appendix A 



State University College at Potsdam 
Selected Financial Management Practices 
97-S-54 



Recommendations 



(OSC) 1. Assess the risks associated with allowing individuals who collect and record 
student payments to also have the computer access capability to adjust student 
charges. Whenever possible, provide for separation of these incompatible duties. 
Whenever such separation is not possible, provide for increased supervisory 
oversight as a compensating control. 

(SUCP) 1. The College agrees. We are currently assessing the impact of removing the ability 
to adjust student charges from those individuals who collect and record student 
payments. 

(OSC) 2. Take steps to ensure that BANNER always can detect any inconsistency between 
a student’s tuition charge and the student’s registered hours. 

(SUCP) 2. The College agrees. The Bursar and the Computer Center are working on a query 
that would identify any inconsistency between tuition charges and registered hours. 

(OSC) 3. Ensure that all transactions adjusting student accounts are supported with adequate 
documentation explaining and authorizing the adjustment. 

(SUCP) 3. The College agrees. We have implemented this recommendation. Documentation, 
and authorization are required for transactions that adjust student accounts. 



(OSC) 4. Take steps needed to change BANNER to ensure that it provides for the accurate 
processing of refunds for all classes of withdrawals and for the proper identification 
of the initiator of all transactions that adjust student charges. 



(SUCP) 4. The College agrees. The BANNER product does have a weakness in that refunds 
based on withdrawals are not always calculated as SUNY would expect. All of the 
SUNY schools working with BANNER have asked the company to provide this fix 
through our Functional Area User Group. This group is meeting in October with 
a representative of the company and this problem is on the agenda. We are 
continuing to work towards a solution. 

(OSC) 5. Discontinue providing Bursar cashiers with the capability to use BANNER to issue 
a student refund. 



(SUCP) 5. The College agrees. This recommendation has already been implemented. 

(OSC) 6. Restrict the ability to adjust meal plan charges and to adjust room charges to the 
appropriate users in PACES and the Residence Life Office, respectively. 

(SUCP) 6. The College agrees. This recommendation has already been implemented. 

(OSC) 7. Strengthen cash controls in Continuing Education, the Physical Plant, and the 
Registrar's Office to address the weaknesses noted in this report. 

(SUCP) 7. The College agrees. These issues have been discussed with the areas involved and 
many controls have been modified and improved. Action will continue on this issue 
until all concerns are addressed. 

(OSC) 8. Provide guidelines on how to separate incompatible duties at remote cash 
collection sites and how to use increased supervisory oversight to compensate for 
these instances where separation of incompatible duties cannot be obtained. 

(SUCP) 8. The College agrees. These guidelines are being developed and will be distributed 
to all remote cash collection sites upon their completion. 

(OSC) 9. Ensure that Bursar policy and procedures pertaining to use of sequentially 
numbered receipt forms are followed. Before permitting use of alternative 
receipting procedures, ensure such procedures maintain desired control and 
accountability. Periodically determine that receipt forms are being used and 
accounted for. 

(SUCP) 9. The College agrees. Procedures for sequentially numbered receipts will be reissued 
by the Business Office. Alternative procedures will be reviewed for proper control 
and periodic checks will be done to determine that receipt forms are being used and 
accounted for. 

(SU) 1-9. We agree with the recommendations and the College’s responses thereto. 